Access control is a security measure employed in computer systems to protect their data from unauthorized access and hence to mitigate its potential misuse by users or other computer systems. Access control policies configure the access control behavior of a system and constitute a set of rules that reflect law, enterprise-specific regulations or, nowadays, even user-specific preferences.
Today, computer systems are widely used to assist us both in our everyday working activities and in our private and social lives. As a consequence, a wide range of data is available, stored and combined to form new processable content. Although it improves work efficiency or otherwise benefits our personal activities, the increase of available data also poses risks: privacy, for example, is an accompanying concern and is strongly associated with the collection of person-identifying information.
The administration of access control was originally a task executed by dedicated administrative staff. With person-specific concerns like privacy, the administration of access control needs to be shifted more and more towards regular (i.e. non-expert) users. Usability of the corresponding policy administration tools, understandability of the underlying access control mechanisms and awareness of the consequences of employed policies are key factors in successfully integrating regular users into access control administration activities.
In this thesis we propose a flexible access control administration model that is domain-specific in two senses: it considers multiple types of policy-administering users, e.g. by adapting to their individually varying expertise, and it defines scenarios of policy administration that build on top of typical domain working activities. This model is called the Scenario based Access Control (ScenBAC) administration model.
Additional contributions of this thesis are a thorough analysis of general requirements of access control policy administration tools (a precursor to our research on ScenBAC), a study in electronic healthcare that delivers the aspects required to shape an example use case domain for employing ScenBAC, and reference implementations of a modeling and development framework as well as a healthcare-specific policy administration tool.
The evaluation of ScenBAC shows that it is a promising approach for domains in which access control policies are repeatedly subject to change and where the administration of access control is typically carried out by multiple different users. Usability of ScenBAC-based administration tools has been a specific focus of our research evaluation.